Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

itwbennett writes "The takedown of the Mariposa botnet and so-called advanced persistent threat attacks, such as the one that compromised Google systems in early December, were hot topics at the RSA conference last week. What both Mariposa and the Google attacks illustrate, and what went largely unsaid at RSA, was that the security industry has failed to protect paying customers from some of today's most pernicious threats, writes Robert McMillan. Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"

Traditional security products are simply not much help, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. 'All of the victims we've worked with had perfectly installed antivirus,' he said. 'They all had intrusion detection systems and several had Web proxies scan content.'"

Or perhaps stop using losing strategies like Default Permit when it comes to security.

AV software is just an example of Enumerating Badness which in the long run is a very very bad strategy.

Penetration testing is useless as anything other than a metric of how well the system is set up.If penetration testers check your network and find 100 vulnerabilities and you dutifuly fix them all you're barely more secure than before because the problems that lead to those security holes being there in the first place haven't been addressed and it's almost a certainty that there are many many more.It's an example of "Penetrate and Patch" which is a terrible way to do security.

The problem isn't windows. the problem is that people keep using terrible strategies.AV software is useless against a custom virus I write just for attacking your system.Blacklists aren't much good since an attacker only has to get through once.Penetration testing is cool but it's not a way to secure your network.

Or we could do true layered defenses in security and redesign the OS to support them. Don't put crap into ring 0 just for "performance" purposes. Use micro-kernels and use messaging systems for interprocess communications. Place OS files into their own, protected partition and control access rigorously. Sign them. Allow unsigned drivers if need be, but sandbox them. Limit "shared" libraries and directories (hello Microsoft and Adobe). Drop legacy application support unless seriously sandboxed in a virtual environment. Heck, sandbox current applications the same way. And so on.

Today's processors and multi-core systems are fast enough to handle the overhead. Drives are huge. Allocate a full 10% of the processor budget to security. Why should we not sacrifice a few FPS in Quake or Unreal for hardened systems that are much, much, much more resistant to tampering and infection?

While I think them running Windows helped, can you honestly tell me that the attackers couldn't have gotten in through a hole in Linux, Firefox, Flash, or any of the other openings that every usable computer has? With highly targeted attacks like this there's almost nothing that can fully secure the computer, and those things which could fully secure Linux would fully secure Windows as well.

For instance, sandboxing the entire OS. Make them use a separate computer when interacting with the internet as a w

FWIW - I'm not a Websense employee. We just use their products as part of a multi-layered defensive strategy. They had mitigation mechanisms in place a week before Google, Adobe, et al acknowledged that they had been compromised.

Obviously Websense isn't a magic bullet. They wouldn't have prevented the initial infection. All they did wa

Well if I'm writing my virus from scratch then it doesn't really matter since the AV won't detect my virus until the company detects it, analyses it and adds it to their definitions.So the 95% of the market it is.

Yes, you can't just assume from the correlation that people must get more viruses because they install windows. You have to also consider the alternative explanation... that people install more windows because they get viruses!

Coolest troll of the year, you even got modded insightfull. Now, I do have mod points, but it's more fun to refute your "proof" than to mod you down.

A proof in Logic is the situation where every row in the table contains "true", in other words, if the statement is a tautology. Now in the truth table you linked [wikipedia.org], the second line is false, so you cannot prove "if p then q" for every "p" and "q".

Now you could argue that we're not talking about every "p" and "q", but only about the true ones. But then you w

True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.

True, but Windows OS isn't one of them. It costs just as much to buy a PC for a home or small office without preinstalled Windows OS as it does to buy one with preinstalled Windows OS. The common explanation for this is that major shareware publishers subsidize the cost of a Windows OS license by paying PC makers to include unregistered versions of their products in the default install.

You are asserting that the costs of a computer end at purchase, they do not. With Windows, the purchase price is only the beginning of your costs. Anti-virus, maintenance, upgrading, rebooting, these costs dwarf the purchase price.

So in other words, you're saying preinstalled Windows is free only if your time is worth nothing. Where have I heard that one before?

No, he's saying that the total cost of Windows is greater than the purchase cost of Windows. He's also saying that the total cost of Windows is greater than the total cost of some alternative, one which doesn't have the same problems.

Viruses exist for all operating systems.

True.

ake GNU/Linux on x86 for example: a virus running as a limited user can infect all programs installed into a user's home directory.

Also true, with the caveat that on GNU/Linux, a downloaded virus doesn't automatically have the ability to be run.

If Linux had majority desktop market share, it would have the same virus problem as Windows.

This is a non-sequitur, none of your prior assertions implies this.

Windows has RTM through Service Pack 3; Ubuntu has Hardy Heron through Karmic Koala.

Number of upgrades is meaningless, cost of upgrades, in both time and money, is meaningful.

True, a downloaded malicious program needs to be chmod +x, just like the installer for any other program that sits outside the package system. But what exactly were you talking about?

The comparison I was making was to downloaded.exe files in Windows, which by default are executable.

The only time you need to pay for a Windows OS upgrade is either A. for a new machine or B. for the equivalent to an upgrade from one Ubuntu LTS to the next LTS.

A regular release upgrade in Ubuntu is not equivalent to a ServicePack in Windows. Nor is an LTS release upgrade necessarily equivalent to a regular release upgrade in Windows. But either way, Ubuntu releases will continue to be free, where as you'll eventually run out of SP upgrades on your version of Windows.

Ksplice costs 48 USD per year [ksplice.com] unless you're on Ubuntu, and it isn't available for SuSE or Fedora at all.

KSplice Uptrack is a service that costs money. KSplice itself is open source, and available for [ksplice.com]

The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything.

AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect. Same with IDS and the lot of it.

In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better. The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.

The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything....

The sooner all end users are clued-in instead of clueless, the sooner we may have a ray of hope.

Did you miss the bit in the summary where they mentioned Google? Now it is possible that Google had no anti-virus, no IDS and doesn't monitor in and outbound web traffic for potential threats, but I think it unlikely.

The security industry will always be unable to protect everyone 100% of the time.

The problem is that they haven't even hit the 50% mark. They cannot even, reliably, detect threats that are over a year old.

AntiVirus is imperfect as it relies on signatures and known processes, and will always be imperfect.

Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better.

I think it is different. The "security industry" depends upon the ignorance of users and the continuation of those users being infected.

It is not in the "security industry"'s best interest to commit to real improvements in security.

So you want to go to a permissions based security model? Something along the lines of what Android does? So when you install the app, it'll tell you every permission that it has, and if you don't agree with them, it doesn't install (Or possibly gives you the option of running in a reduced permissions mode, if the developer allowed it). It's a lot of overhead, but most definitely could have some interesting results in combating these kind of threats. Then again, something like this would need to be intro

Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

Microsoft more or less tried something like this with UAC on Vista, didn't they? Granted, it doesn't matter that much unitl you fix all the other security holes, but the point is that average joe users don't want it, and they make up the majority of the (non-open source) users. It seems to me that asking "Are you sure" before installing software is a good thing, but the marketplace apparently disagreed.

And the fact is, you can say "They'll learn their lesson after they get infected," but the truth is ver

Exactly. Which is why that needs to change. Instead of trying to chase the latest variant of a threat, why not save time and effort and identify the LEGITIMATE files? Then, if something is trying to write a file to the OS portion of your drive, and that file is not recognized, it should block it (and MAYBE allow the user to override it after a few hoops and maybe online comparisons with the latest threat databases).

Data must be cleanly separated from executable code, thus the Von Neumann architecture used today is not up to the task. Harvard architecture is much more secure by default by not mixing instructions and data. Sure, some processors today implement some simple version of this through a bit, that is set when this space is for data only and cannot be executed (NX or DX bit in some processors, for example in Intel Xeon lines starting with Harpertown), it is a good start, but I think there should be a more cle

The security industry will always be unable to protect everyone 100% of the time. It is impossible to protect the clueless from anything.

There's definitely some truth to that. However, I think the security industry is still open to criticism specifically because they're telling the clueless, "Without us you're screwed, but if you buy our product, then you don't need to worry. We have you covered."

The problem is, if you're careful and know what you're doing, you don't really need all of these products on your computer. If you're careless and don't know what you're doing, then this products don't quite solve the problem. In most cases, it

In my opinion, as long as the security industry, and end-users as a whole, continue with the thought that end-user basic security ignorance is OK, things will never get better.
Just wait until YOU have kids. You'll go off to work, secure in the fact that you're an enlightened end-user as far as security goes, and when you get home from work, you'll see how much damage kids can cause in the 2 hours between the end of their school day and the end of your work day.
And, when that happens, just let me say i

People modding this insightful should get a clue-stick. The best defense is relying on systems that have more security build in, not on the end user. The end user will always be clueless and rightfully so. The end user has stopped being computer fanatic for almost 2 decades. And there is a lot of things that can be improved. Buffer overruns should be a thing of the past, applications should not start out with permissions that lie outside their intended use (MS implemented that for IE, which was a seriously

The security industry will always be unable to protect everyone 100% of the time.

...sort of like how the TSA and the government cannot provide 100% security from gangsters/drugdealers/terrorists/. I think that the posted topic reads like the common hysterical notion of, 'Why can't X protect me from dangerous stuff all of the time?'

To address the main topic: How have security firms 'failed'? Billions of dollars flow about the internet on a daily basis without a hitch. Huge amounts of data is seen by th

the security industry has failed to protect paying customers from some of today's most pernicious threats

This is a terribly ignorant statement. The security has actually succeeded in protecting paying customers from all but the most pernicious threats. IT security is about reducing risk, and that's what it does--successfully.

It is an ignorant statement but not for the reason you cite and the sentence should read;
"Microsoft has failed to protect paying customers from some of today's...".
The security industry can do little when given such a crap foundation to work from.

Well, given enough funding, IT Security could keep even Windows boxes to extremely low risk levels. Most companies, however, simply decide that $x dollars is enough to spend on Security, and so the Security team tries to get the most bang for that buck. You can block 99% of malware with a reasonable amount of security expense. To get to 99.9%, you will need to double or triple the cost. 100% is not possible, and most companies accept the risk that small amounts of malware get through.

One thing that shouldn't surprise me anymore but keeps surprising me is that it seems like the more money you pay for software, the more half-assed it is. You get an off-the-shelf product like Quickbooks, it's impressive. You look at stuff that's industry-specific, specialized software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be the lack of competition means there's no real reason to improve the product beyond what it already does.

I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.

I'm sure there are some exceptions to my experience, naturally. But these niche applications generally seem to be very expensive and primitive.

Back before beowulf clusters were common and most all supercomputers were priced in the 9 digits there was a phrase well known in the community - "Supercomputing is a synonym for unreliable computing."

In other words, if the market is small you suffer from all kinds of problems because there aren't enough users to generate enough bug reports and despite the high per unit pricing, volume is so low that there isn't enough money to pay for all the Q&A beyond the core functionality.

You get a consumer car like a Honda Insight, it's impressive. You look at [race cars] that's industry-specific, specialized hardware and software that doesn't have a lot of competition, it costs thousands and feels primitive in comparison. It must be the lack of competition means there's no real reason to improve the product beyond what it already does.
Fixed that for you.
When Quickbooks can handle the multi-million transaction ledger of an publicly traded enterprise come back and try again.

The dark side of computer "security" pays far better than the good side. I was contracted to setup a number of servers for a company, and as it turned out, they were part of this "dark side." I told them I had an ethical conflict, and decided to remove myself from the situation about 2 hours into it.

The problem is, other than the coders and the boss, many people do not know they are working for these companies. This particular company had about 15 people. 3 were in the know, the other 12 were support for shipping, gathering information, making contacts, and advertising, etc. When dealing with spyware/malware, there is a lot of butt covering, and evasion.

The programmers in particular were amazing coders, some of the best that graduated at the same university I went to. This is how I got contacted to help. Only after we started talking did I realize what they were all about. The pay was almost double what they would have made at a legitimate company.

There is no perfect security, offline or online.I like to say there are 3 main types of attacks:

Bots, worms, and other randomly spewed attacks.

Industry targeted attacks. An attacker wants to compromise a bank, any bank, and will go for the easiest target

Comany or resource targeted attack. An attacker wants access to you specifically.

We have mechanisms that are pretty good at class 1. We can shore up our defenses enough to not be the low hanging fruit to get some protection against level 2.

Level 3 is only starting to enter the public eye. There is no defense that will withstand a well funded targeted attack. The best you can do is make it too difficult for most attackers, and monitor and clean up after the really good ones.

This is true for airline security, concert security, bank security, web site security, and network security. There is no impenetrable defense for any of these. You minimize the risk as much as you can, then build your systems so they can be effectively monitored and rebuilt/restored in case of attack.

While there's no such thing as perfect security, there is definitely security that is about 20 times harder to penetrate than your typical bank website. Either that, or the various government spy agencies such as the NSA are in real trouble. Do those organizations get beaten at their own game? Absolutely. But it's a rare occurrence at best.

What I think you meant to say was "There's no security good enough to deter most criminal organizations available at a price that companies are willing to pay."

Fraud happens all the time, but the banks have developed heuristics to stop it before too much money is lost. Often transactions can be rolled back and accounts frozen before the money disapears, but not always.

Banks do lose huge amounts of money however, much of it through credit card fraud. That's the reason credit card interest rates are as high as they are. Customers are willing to pay those rates for easy access to money, so there is no incentive for US banks

Here's how our most sensitive secrets are protected: Air gapped, behind massive physical security including guys with M-16s.

Our nukes are especially well protected, and a study of how they do it is quite telling.A google search for "nuclear security air force" reveals a lot about the good and bad of the approach, including some high profile failures.

Note that they are not doing business or interfacing with the public on a regular basis. Airgaps are great until you actually want to give things to some peopl

That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution. And if you're a "high visibility target" then you are going to need even more, defense in depth and a dedicated team for your security. It's not reasonable to expect "but I installed Norton!" to come from a CEO of a big company for example. Bigger assets require better, customized defenses.

Bigger targets attract more than script kiddies and people that are buying hacking kits. They attract entire groups and organizations of highly skilled and specialized hackers that know how to analyze your defenses, have experience getting around all but the industrial grade security tools, and can customize their work and cover their tracks.

It's no different than complaining that neighborhood security is a mess because your padlock didn't keep your bike from getting stolen. If you have a really nice bike, and a smart thief really wants it, you'd better have something better than a crappy $7 masterlock on it. You can't blame the lock if the bike gets stolen. You were using the wrong tool for the job and the outcome should come as no surprise. You were expecting way too much (security) from way too little.

So do people constantly attack Bill Gates accounts? I mean he is like the most obvious target in the world. And besides its not like he'd miss a million dollars if you managed to get to it. It would be like a trophy. Can you even monitor 40+ billion dollars? Can you really monitor a billion anything?

They probably try, but there is also the matter of attack surface. Gates has no reason to have much of any. There is also the fact that, while far from my favorite person, he is not an idiot. The same cannot be said for the C-level execs of many large businesses with very large attack surfaces.

>That's what makes "spear-phishing" so ridiculously dangerous - if the attacker is spending his entire day on you specifically, you're going to need a little more than an off-the-shelf unmonitored solution.

Not to mention AV programs simply scan for yesterday's threats. I think we bank too much on them as proactive protection. Locking down your desktops, adhering to the principle of least user access, and not using software that is full of exploits is a much smarter way to go.

The most wide spread vulnerability to internet activity today is not something that can be fixed with an anti virus program, or any kind of program for that matter. When it comes down to it, the primary vulnerability is the meat bag sitting at the keyboard. People are stupid. They don't mean to be. They don't try to be. Still, they are (myself included on plenty of occasions). As a result, all a successful hack has to rely on is convincing a large number of stupid people to do something stupid. That's reall

Our state CISO [pennlive.com] was fired when he got back from the conference because he spoke about a hacking incident to the state's DOT site which allows one to schedule driver's exams. Apparently, it was initially presumed the attack came from Russia but was later found to have come from Philadelphia where a driving school had exploited a vulnerability in the web site to schedule more driving tests than there were allotted slots.

By exploiting this vulnerability, the driving school was able to close all available slots EXCEPT for the school so everyone else had to wait up to 6 weeks to schedule a test.

He was a scheduled presenter with over 24 years in IT in both the public and private sector. He was recognized, according to the RSA schedule, as "one of the most high-profile experts in the field of securing the data of American citizens today."

As you read the comments after the article, it's clear that some folks with knowledge of the subject insist he went out of bounds on the subject while others consider what he did to be a normal part of the IT security process.

I'm only posting this as it does relate to the overall RSA conference. Note that the web site indicated will probably prevent reading the article after a certain time has passed so read it now. In addition, here are two other sites which talk about the firing:

Fast moving exploits blow right past these security products. The whole industry is based on "identify new threats, develop a detection routine, include it in the next update". So from the time the "assault" starts there's the time it takes for someone to find it and report it to the security product company. Then there's the time it takes for that company to analyse the threat and code a detection - and then there's another delay while customers wait for the next update cycle to come along.

You can have your shit locked down 6 billion ways to Sunday.The minute you introduce the human element into it, you have a massive security hole that can be patched, but NEVER closed.You can train and train and train. Ennui sets in and their brains shut off after a while.You can have the most draconian policies regarding proper usage. People will still circumvent it, accidentally or deliberately.You can fire people. It just creates ill will and the damage is already done.And, if it happens to be the owner

If you read "The Cuckoo's Egg", you will be both charmed and horrified about how quaintly computer security was regarded by the United States government in the early years of the Internet. The insane thing is that despite all the time that has passed since then, we still have lone basement hackers discovering tears in the fabric of the Internet like when Dan Kaminsky found his DNS flaw.

I believe the Chinese attack on Google has finally woken up a lot of very important people. I was stunned that Hillary Clin

We should feel lucky we don't have Cylons yet. They hacked 5 layers of firewalls in a matter of several minutes...and it took many episodes and a reboot via hot skin job sticking things into her arm before they finally removed all trace of the virus.

NO technology will do your thinking for you. NO product will protect you if you don't know enough to protect yourself. Antiviruses, deep packet inspection, intrusion detection, etc: they are all useless - worse than that: they are expensive useless, designed more to make somebody else money that to protect the end user. The ONLY thing that will protect you is knowledge. When will people learn that if they want the benefits of modern technology, understanding it is not optional?

Perfectly perfect installs of antivirus? As in, perfect enough to be NSA backdoors? Other articles mentioned that the exploits were there because of NSA mandates for data access that we can safely assume to include internet-facing Windows computers. If that's true, then the NSA are a helluva lot more stupid(or lazy) than they claim to be.

Yeah and then Schneiner stated in a retraction that that wasn't the case.

As for who has the authority... that would be the anti-virus vendor. The same people who you've given the authority to tell you what is a virus today.

So the same people that this article is pointing out that are failing to actually protect people? Oh and let's not even get to how many false positives and negatives that are well-known to happen with all the security suites.

Not automatic, but whitelisting security systems like that exist. Core Force [wikipedia.org] is the one I know of. It has some sort of system for sharing whitelists for specific applications among users.

In a whitelisting system, how do ISVs get their products and updates to their products into the major antivirus companies' whitelists? Sure, a business's IT department should handle that in a business situation, but home users often don't have a competent IT department.

As I mentioned before, the web in a way handles this by simply not allowing "web applications" to do anything really damaging. That concept is how I think applications should actually evolve, although it is hard to define "not doing damage" for an application.

The Sugar operating system on OLPC's XO-1 laptop has an interesting model for sandboxing applications, called Bitfrost [laptop.org]. But then Bitfrost presents a new API onto which Win32 and POSIX don't easily map.

To some extent, current anti-virus companies, I believe, handle this by continually checking their software against popular software packages and making sure they do not get marked as false positives (or, well, actually have viruses in them).

Some do a better job than others. ClamWin, in particular, uses the ClamAV definitions that are designed more for scanning e-mail than for scanning a hard drive, and for files that aren't often e-mailed (such as Excel.exe), ClamWin shows all sorts of false matches.

In short, yes, whitelisting has issues because, as you say, maintaining the whitelist sanely and securely is a difficult (impossible?) problem.

The reason a user can overwrite something in system32 is more an OS security issue than an antivirus security issue. An exploit often runs with administrator rights, (because that's how many Windows users run) and therefore can overwrite anything in the system. The problem isn't just the security vendors' fault. The problem also lies with OS writers who create a product that either a) defaults the user to superuser/admin, or b) is useless and annoying unless you are running as superuser/admin. Stripping away superuser rights through RBAC would not solve the issue, but would go a long way towards making such exploits more difficult.

Here's a radical new concept. How about an antivirus program that BLOCKS file writes to the operating system UNLESS that file can be confirmed to be "good"?

And how do you think this is going to happen? If it's manual then most users are going to just click through saying it's good all the time or when they get fed up by this behavior they'll just uninstall it. If automatic, how exactly do you expect something to perfectly determine whether something is good or bad? Because if it can't do it with 100% accuracy, then you're going to get lots of complaints about bad files being thought of as good or good files being shitcanned as being bad.

And how do you think this is going to happen? If it's manual then most users are going to just click through saying it's good all the time or when they get fed up by this behavior they'll just uninstall it.

If computer security has taught us anything, and it hasn't, it's that you can't protect users from themselves. Not only are they their own worst enemies, but they are never the person they blame when this happens. All PC's should come standard with a mirror.

I'm not letting MS off the hook - they need to get their sh!t together, but it's impossible to retrofit all the XP (and older... and newer) desktops out there with a magic bullet. At some point the users need to share the blame and responsibility for t

These exist, bit9 has one of the better ones out there. Also, the Unix package management system functions as a defacto whitelist approach. The problem is whitelisting limits what you can install. Adding programs to the whitelist is time intensive, and the major benefit of Windows is the fact that there's so much stuff out there you can run on it..

Whitelisting is a good approach for certain locked down, single purpose terminals, but for general computing you might just as well deploy Ubuntu to your users

Note that that was installed from a non-Ubuntu source, effectively breaking the whitelist.

It's simple to tell your users they can only install from the Ubuntu repositories, and set up controls that would keep most users from being able to install other software...

Once again, no defense against a skilled user who really wanted to install something either in windows or Linux, but setting the policy along with reasonable protection measures keeps most users from installing dancing bears screen saver malware.

It's called permission. yes you can still get past the user by confusing of tricking them. but any OS that allows a user (not a superuser but a regular user) to run a program that silently infects a system file is a defective and poorly written system.

People claim that OSX has no viruses because it's a tiny target. Most people that have a mac have a lot more money than a PC user, that makes them a juicy target for stealing info. yet I still dont see the flood of problems under OSX. Why? it's the underlying security model of the OS that BSD brought to the table and that Linux also has. Your userland app CAN NOT WRITE TO OS FILES without permission.

To hell with telling good from bad, let's violently force all OS's to stop the poorly designed behavior of allowing ANY app to happily write to system files. That mans getting rid of the security nightmare abortion that is the registry.

How can a perfectly installed AV detect a new virus or malware that does not have a previously identified signature? Or is being implemented in an entirely new way which is not currently in the AV or security programs list of possible intrusion scenarios? Av and security programs are nothing more than window dressing allowing IT execs to say look we are doing all we can to prevent these problems what else can I do? Their bosses see the programs running and believe they are safe.

The problem with that is that a lot of the links promise to take you to a picture of a kitten doing something cute. Unfortunately, there is no known method for keeping certain types of people from clicking on kitten-related links. Sad, but true.

you don't need to click any more. Most of the malware I'm cleaning up these days is delivered via Flash, and distributed by advertisement servers that have been hacked. All you have to do is visit a site that gets paid to serve random ads, and you can get infected.

When people call me a thief for viewing pages without ads (by blocking Flash), I rebut with this. I trust Slashdot. I may not trust Slashdot's advertising partners. And Slashdot doesn't (and probably can't) vet the ads before they're displayed.

That's fine... until you visit a random forum to ask a random question and some idiot has an avatar.gif with an embedded trojan that has just now found its way into your harddrive's temp file. The only warning you get is when you see that Java is running in the system tray for a split second. Then kiss your afternoon's productivity goodbye.